Heimdall
Securing MCP servers against LotL abuse
- year
- 2025
- w/
- ITU & Anthropic Bug Bounty
- role
- ethical hacker, researcher, developer
- at
- ITU · Copenhagen
- link
- visit ↗
Heimdall (formerly Claude Defender) grew out of my security research into the Model Context Protocol (MCP) ecosystem. During this work, I identified multiple vulnerabilities in Claude Desktop’s MCP implementation, demonstrating how Claude Desktop could be abused as a Living off the Land (LotL) execution vector, leading to remote code execution, and how modified MCP servers could remain trusted through tool poisoning. I responsibly disclosed the findings to Anthropic, resulting in one duplicate report and one informative report, where the behaviour was acknowledged but considered outside their threat model. The research formed the basis of my university dissertation, which received the highest possible grade.
Around the same time, the tool poisoning attack pattern had not yet been formally published. As part of this research, I independently explored the technique and later built Heimdall as a practical mitigation. Initially developed for Claude Desktop, the project has since evolved into a cross-platform integrity monitor for the wider MCP ecosystem, supporting Claude Desktop, Claude Code, Cursor, Windsurf, LM Studio, and custom MCP configurations.
Rather than attempting to detect malicious behaviour directly, Heimdall focuses on ensuring that trusted MCP servers remain trustworthy. It continuously monitors the files AI agents rely on, providing immediate visibility whenever an MCP configuration or server changes unexpectedly.
A key challenge for integrity monitoring is protecting the trusted baseline itself. Heimdall addresses this through trustroot, a cryptographically authenticated trust store that signs every integrity record using a keyed BLAKE3 MAC. The signing key is stored inside the operating system’s secure credential store rather than on disk, making it significantly more difficult for an attacker with only file-write access to silently replace both the monitored files and the baseline used to verify them.
Heimdall is open source and serves as both a defensive tool and a proof of concept for strengthening the security of local AI agents and MCP-based workflows.
Future work focuses on extending Heimdall’s trust model beyond the local machine. Planned improvements include signed software releases with reproducible build metadata, remote anchoring of the cryptographically authenticated audit chain, deeper correlation between runtime behaviour and configuration changes, and replacing the current WebView-based interface with a native desktop frontend to further reduce resource usage. Longer term, the project aims to generalise its integrity model beyond today’s MCP ecosystem as local AI tooling continues to evolve.
| Mode | Footprint |
|---|---|
| Headless watcher | ~7.5 MB RAM · ~0.1% CPU · event-driven (no polling) |
| Desktop GUI | ~35 MB engine + WebView2 runtime (mostly shared OS pages) |
The headless watcher performs effectively no work while idle, waking only when a monitored MCP configuration or server file changes. Detection is typically sub-second, using an event-driven filesystem watcher rather than periodic polling. The desktop application uses the same detection engine while providing an interface for reviewing changes, intrusion analysis, quarantine, and audit reporting.
Or, if you still want to keep the installation paths (since they’re useful), simply update them and separate them from the performance section:
| OS | State directory |
|---|---|
| Windows | %LOCALAPPDATA%\MCPMonitor\ |
| macOS | ~/Library/Application Support/MCPMonitor/ |
| Linux | ~/.local/share/MCPMonitor/ |
also see